Following the euphoria over the success of the operation run by police forces in many countries, privacy and security experts have begun to ask how the police were able to locate the servers hosting the hidden services and the operators who ran the illegal activities. Members of the Tor project published a blog post titled Thoughts and Concerns about Operation Onymous, in which they try to explain how law enforcement managed to locate the hidden services.

“Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used.” states the post.

They hypothesized that law enforcement exploited one of the following scenarios:

Lack of Operational Security of hidden services.

Exploitation of bugs in the web application.

Bitcoin de-anonymization.

Attacks on the Tor network.

The anonymity of the location of a server behind a hidden service is ensured under the following conditions:

The hidden service must be properly configured.

The web server must not be vulnerable: it must not be affected by any flaw and it must be properly configured.

The web application should have no flaws.

An attacker able to exploit a vulnerability in the web server or in the web application (e.g. the e-commerce system the operators expose to offer their illegal products) could easily compromise the targeted hidden service.

For example, an SQL injection flaw could give access to many functions of the hidden service and could allow an attacker to dump its database.
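One way a service operator could check the three conditions listed above on their own onion service, as an added example that is not from the article, the Tor project or Kaspersky: a small Python audit over a torrc (using Tor's real HiddenServiceDir and HiddenServicePort directives), the web server's listening sockets and a set of captured response headers. The sample torrc, listener list and headers below are constructed for the example.

```python
import ipaddress
import re
# Constructed sample torrc: two onion services, the second forwarded to a LAN host.
SAMPLE_TORRC = """
HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/forum/
HiddenServicePort 80 10.0.0.5:80
"""
# Constructed samples: web server listening sockets (as `ss -ltn` lists them) and captured headers.
SAMPLE_LISTENERS = ["127.0.0.1:8080", "0.0.0.0:80"]
SAMPLE_HEADERS = {"Server": "nginx/1.4.6 (Ubuntu)", "Location": "http://shop.example.com/login"}

def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname or garbage is never treated as safe
        return False

def parse_hidden_services(torrc):
    """Return [(service_dir, virtual_port, target_host, target_port), ...] from a torrc."""
    entries, current = [], None
    for line in torrc.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "HiddenServiceDir":
            current = value.strip()
        elif key == "HiddenServicePort" and current is not None:
            vport, target = value.split()
            host, _, port = target.rpartition(":")
            entries.append((current, int(vport), host, int(port)))
    return entries

def audit(torrc, listeners, headers):
    """Return (severity, message) findings for each exposure condition that fails."""
    findings = []
    # Conditions 1 and 2: Tor forwards only to loopback, and the web server binds only loopback.
    for sdir, vport, host, port in parse_hidden_services(torrc):
        if not _is_loopback(host):
            findings.append(("high", f"{sdir}: port {vport} forwards to {host}:{port}, not loopback"))
    for sock in listeners:
        if not _is_loopback(sock.rpartition(":")[0]):
            findings.append(("high", f"web server listens on {sock}: reachable outside Tor, exposing its IP"))
    # Condition 3: responses must not leak a software version or a clearnet hostname.
    if re.search(r"\d+\.\d+", headers.get("Server", "")):
        findings.append(("medium", f"Server header reveals version: {headers['Server']!r}"))
    for name, value in headers.items():
        for hostname in re.findall(r"https?://([\w.-]+)", value):
            if not hostname.endswith(".onion"):
                findings.append(("high", f"{name} header leaks clearnet hostname {hostname}"))
    return findings
```

Running `audit(SAMPLE_TORRC, SAMPLE_LISTENERS, SAMPLE_HEADERS)` on the constructed input reports the LAN forward, the 0.0.0.0 listener, the version banner and the clearnet hostname in the redirect.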

Kaspersky security researchers Stefan Tanase and Sergey Lozhkin wrote an interesting blog post analyzing the impact on the Dark Web of the operation recently conducted by law enforcement.

According to the researchers, the takedown affected a limited number of Onion sites, just 5 percent, while nearly 21 percent are still alive and 74 percent of the onion addresses are offline.

“Right now there are 4 times more hidden websites online in the Tor network than those that were shut down.” state the researchers in the post.

Security experts consider the effect transient: unfortunately, cybercrime is nearly impossible to eradicate completely, and the researchers are aware that new illegal services will soon replace the websites that were taken down.

Experts at Kaspersky also analyzed the number of hidden services set up after the Operation Onymous takedown: a graph in their post shows the number of new .onion addresses appearing each day, with an evident spike just after the law enforcement operation.

The analysis of the lifetime of the Onion sites taken down in Operation Onymous shows that the majority of the targeted websites were alive for at least 200 days on average, but usually not more than 300 days.

The experts at Kaspersky explained that, to de-anonymize Tor users, it is possible to compromise a poorly configured server or the web application it exposes; there is no need to search for and exploit an alleged vulnerability in the Tor architecture.

The researchers state that, to find the physical location of a server, it is possible to compromise it by installing a backdoor, for example by exploiting a vulnerability in a third-party application used by a dark marketplace.

Another possibility for law enforcement is to compromise with spyware the machine of the administrator of an illegal website, once he has been identified through ordinary investigations; in this way the agents gain access to his machine and collect information on his activities and his network of contacts.

“This could be easier than it seems: for example, if a vulnerability is found in a hidden service, it is possible to rig its admin page with an exploit and wait for when the drug shop administrator will access his site. Then he would be infected with malware as a result of this highly targeted waterhole attack.” states the post.

The researchers also mentioned the possibility of infiltrating the operators of the dark market or hitting them with spear-phishing.


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".